Back-to-School: Aus dem Klassenzimmer des CAS Information Security & Risk Management. Basis für diesen Lehrgang ist das BSI-Grundschutzhandbuch, und die Teilnehmenden bereiten sich begleitend auf die CISSP-Prüfung vor. Somit ist es ein Teil des 15-tägigen Lehrgangs, ein CISSP- oder BSI-Fachthema als Blogpost aufzubereiten:

Information Security: Information security standards today

To start this blog I would like to point out the difference between Information Security and IT Security. Both subjects are sometimes mixed up due to a resembling name. Information Security not only takes into account the “information technology” but the entire information data which is to be found in a business. Information Security can be defined as an act to prevent any modification, destruction or unauthorized use of (data) information. IT Security is a part of Information security, concerning the Digital data and IT assets. To maintain business data, Information Security is built on three fundamental pillars: confidentiality, integrity and availability. Multiple standards have been developed over the past years, and some are still evolving as e.g. Cyber Security. The actual Information Security standards are based on these three pillars. In this blog you can find an overview of some actual standards. ISO 2700x – recommendations on information security management provided by International Standardization Organization. ISO 2700X is divided in multiple subcategories such as guidelines and measures which can be applied in ISMS to help a company in the organization of the security risks and to control them BSI – Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik), The BSI investigates security risks associated with the use of IT and develops preventive security measures. It provides information on risks and threats relating to the use of information technology and seeks out appropriate solutions (definition according to BSI website www.bsi.bund.de) ISACA – Information Systems Audit and Control Associations, has developed COBIT (Control objectives for information and related Technology) a framework that handles aspects of IT governance and risk assessment ITSEC – Information Technology Security Evaluation Criteria is a structured set of criteria for evaluating computer security within products and systems IETF – Internet Engineering Task Force: a group working on Internet security e.g. DNS security, IPv6, network traffic encryption IEEE – Institute of Electrical and Electronics Engineers Standards – creates standards in information Technology. E.g. 802 LAN (Local area network) PCI DSS – Payment Card Industry Data Security System – standards and policies created to optimize the security of information about credit, debit and cash cards. Information Security has also developed in regional standards, e.g. per continent: ETSI – European Telecommunications Standards Institute which creates standards within Europe on telecommunication e.g. electronic signatures, smartcards ANSI – American National Standards Institute BSIA – British Security Industry Association, an association for the security industry in UK, develops codes of practice and technical documents such as access control and information destruction ENISA – European Network and Information Security Agency INCITS – International Committee for Information Technology Standards – creates standards for different areas e.g. cyber security, RFID Nowadays, big companys also have a person in charge of Information Security , often this person is not directly linked to a superior but reporting to the board (but this is not obligatory) – he or she is called a CISO: A Chief information security officer who is typically in charge of selecting, implementing and monitoring the efficiency and effectiveness of Cyber Security standards for her or his organization.

---

Blogpost wurde erstellt im Rahmen vom CAS Information Security & Risk Management. Dozenten in diesem sehr praxisorientierten Lehrgang sind: Lukas Fässler (FSDZ Rechtsanwälte & Notariat AG) Rainer Kessler (Governance Concept GmbH), Andreas Wisler (goSecurity GmbH) Beim nächsten CAS live dabei sein? Hier der Link zur Ausschreibung CAS Information Security & Risk Management Persönliche Beratung für den Lehrgang gewünscht? Einfach Prof. Martina Dalla Vecchia ein E-Mail schreiben und einen Termin vorschlagen.